What Are Botnets and How to Hijack Them?

Vahab PournaghshbandComputer Science Department

University of California, Los Angeles

vahab@cs.ucla.edu

Botnets are networks of malware-infected machines controlled by an ad-versary called botmaster. Each infected machine is called a bot. While therehave been many infamous bots that attempted to infect as many machinesas possible, there are some bots that infect only specific machines with theaim of stealing valuable information while staying undetected. University ofCalifornia, at Santa Barbara (UCSB) researchers managed to hijack botnetTorpig for ten days and further analyze the botnet activities, before they losecontrol when the botnet got updated by the botmaster.

Torpig’s victims are infected through drive-by-download attacks, meaningthat they need to download and run a trojan (which can be done via variousways). Once the machine is infected, it acts as an installer for the Mebrootwhich is a toolkit used to replace Master Boot Record (MBR). This hastwo advantages: (1) it starts the malware at the boot time, and (2) it couldpotentially remain undetected by antiviruses. The victim’s machine then getsrebooted after a few minutes and the program is then loaded. Mebroot, atthis initial stage, does not contain any malicious code; however, it facilitatesinstalling, reinstalling, and updating modules. It contacts the Command andControl (C&C) servers to get the modules and then stores them encrypted(under the system32 directory) in the infected machine. Every 20 minutesthe C&C server asks the bot in the victim’s machine to upload the stolendata, and then the bot sends the encrypted version of this data to the server.Note that the cryptosystem used by Torpig has been broken in late 2008 andthus UCSD researchers decryption was rather automated. It also often usesphishing to gather more valuable information from the victim. They alsouse techniques like domain flux to remain undetected while communicating

1

with the C&C server. All bots communicate with the Torpig’s C&C serverthrough HTTP POST requests. The URL containing the request includes thebot’s ID and a submission header. The payload is just the encrypted stolendata from the victim.

What UCSB researcher did to successfully take control over the bot wasby purchasing the domains that the bots try to resolve as a tool to com-municate with C&C servers. The researchers then setup C&C servers tocommunicate with the bots. Although they had control over the bot andcould potentially extract any information they needed to further analyze thebot, they were limited to which commands they could issue due to privacyand legal issues involved with the results of those operations.

Now that we know how Torpig botnet infects the machines, it is worthmentioning the potential threats that it can impose on the victims. From datareported by the infected machines, it is clear that the primary motivationbehind Torpig is financial data stealing. The statistics the UCSB researchersgathered shows that so many credit card information have been stolen bythe bots and were reported to the botmaster. Man-in-the-browser phishingattack was one of the most effective techniques that Torpig used to gathervaluable information from the victim. It is done in a way that the user underattack observes a valid domain and even SSL certificate looks valid. Passwordanalysis is considered another form of threat to the victims. A remarkableanalysis by UCSB researchers shows that Torpig stole around 300,000 uniquecredentials (i.e. username and password pairs) most from Google, facebook,Yahoo, MySpace, and other social networking and e-mail websites. Privacy isalso a form of threat from Torpig since a trace of online activities of the usersof infected machines could be available to the botmaster. Other informationabout the users like their habits, interests, and concerns could be potentiallyextracted and reported to the botmaster. Once accessing to the stolen datain that ten days, the researchers were able to even classify the victims bytheir primary activities on the web. The last and not least threat is thedenial of service attack by Torpig due the overwhelming usage of aggregatebandwidth among infected hosts.

2

References

[1] Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M.,Kemmerer, R., Kruegel, C., and Vigna, G. Your botnet is my botnet:analysis of a botnet takeover. In Proceedings of the 16th ACM Confer-ence on Computer and Communications Security (Chicago, Illinois, USA,November 09 - 13, 2009). CCS ’09. ACM, New York, NY, 635-647.

3